
The best method to prevent session hijacking is to make sure an attacker cannot find out another user's session ID. This means you should design your application and its session management keeping the following things in mind:
1. An attacker cannot guess a valid session ID (use enough entropy).
2. There is no other way for an attacker to obtain a valid session ID through known attacks such as sniffing the network communication, Cross-Site Scripting, etc.

One thing you can do is track the user's IP address in the session data, and any time it does not match the current request's IP, make the user log in again. This is not a cure-all, but can help in some cases, in particular someone sniffing the cookies on a non-https connection (another good reason to use https?).

It's also a good idea to make the user log in any time they hit a particularly sensitive page and their last log-in was more than some arbitrary time in the past.
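The points from the two posts above (an unguessable ID, no way to obtain one except from the server, the optional IP check, and a fresh login for sensitive pages after some time) as one added example. This is illustration code written for this thread, not code from any poster or framework; the class and function names, the 15-minute window and the sample IP addresses are all assumptions. It also rotates the ID after re-authentication, which the posts do not mention but which closes the related session-fixation route.

```python
"""Session management sketch (added example; names are hypothetical):
high-entropy IDs, server-issued IDs only, hardened cookie attributes,
optional IP binding, and re-login for sensitive pages after a window."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

SESSION_ID_BYTES = 32            # 256 bits from the OS CSPRNG: not guessable
REAUTH_WINDOW_SECONDS = 15 * 60  # assumed window for sensitive pages


@dataclass
class Session:
    user: str
    client_ip: str      # IP seen at login (only consulted when bind_ip is on)
    last_login: float   # time of the most recent successful password check


class SessionStore:
    """In-memory store standing in for the application's real session backend."""

    def __init__(self, bind_ip: bool = False):
        self.bind_ip = bind_ip
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def new_session_id() -> str:
        # token_urlsafe(32) encodes 32 random bytes as 43 URL-safe characters.
        return secrets.token_urlsafe(SESSION_ID_BYTES)

    @staticmethod
    def cookie_header(sid: str) -> str:
        # Secure: never sent over plain http, so it cannot be sniffed there.
        # HttpOnly: hidden from document.cookie, so XSS cannot simply read it.
        # SameSite=Lax: not attached to most cross-site requests.
        return f"Set-Cookie: SESSIONID={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"

    def login(self, user: str, client_ip: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        sid = self.new_session_id()
        self._sessions[sid] = Session(user, client_ip, last_login=now)
        return sid

    def rotate(self, old_sid: str) -> str:
        """Move an existing session to a fresh ID (e.g. after re-authentication)."""
        sess = self._sessions.pop(old_sid)
        new_sid = self.new_session_id()
        self._sessions[new_sid] = sess
        return new_sid

    def authorize(self, presented_sid: str, client_ip: str,
                  sensitive: bool = False, now: Optional[float] = None) -> str:
        """Return 'ok', 'login' (no usable session) or 'reauth' (session is fine,
        but the page is sensitive and the last login is too old)."""
        now = time.time() if now is None else now
        # Only IDs this server issued are accepted: an unknown, forged or
        # attacker-chosen ID never becomes a session.
        sess = self._sessions.get(presented_sid)
        if sess is None:
            return "login"
        if self.bind_ip and sess.client_ip != client_ip:
            # The IP check proposed above: the cookie arrived from a different
            # address, so discard the session and demand a login. Note this
            # also fires for a legitimate user whose proxy address changes.
            del self._sessions[presented_sid]
            return "login"
        if sensitive and now - sess.last_login > REAUTH_WINDOW_SECONDS:
            return "reauth"
        return "ok"

    def reauthenticate(self, presented_sid: str, now: Optional[float] = None) -> str:
        """Record a fresh password check and hand out a rotated ID."""
        now = time.time() if now is None else now
        self._sessions[presented_sid].last_login = now
        return self.rotate(presented_sid)


def demo() -> dict:
    """Walk through the scenarios from the thread on constructed sample data."""
    t0 = 1_000_000.0
    store = SessionStore(bind_ip=True)
    sid = store.login("alice", "203.0.113.10", now=t0)   # constructed sample values
    return {
        "id_len": len(sid),
        "ordinary": store.authorize(sid, "203.0.113.10", now=t0 + 60),
        "guessed": store.authorize("not-a-real-id", "203.0.113.10", now=t0 + 60),
        "stale_sensitive": store.authorize(sid, "203.0.113.10",
                                           sensitive=True, now=t0 + 3600),
        "ip_moved": store.authorize(sid, "198.51.100.7", now=t0 + 120),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the four outcomes: a normal request is accepted, a made-up ID gets no session at all, a sensitive page an hour after login asks for a fresh login, and with IP binding switched on a request from another address throws the session away. The same controls exist as PHP ini settings: session.use_strict_mode (accept only server-issued IDs), session.cookie_secure, session.cookie_httponly and session.cookie_samesite for the cookie flags, and session.sid_length plus session.sid_bits_per_character for the ID's entropy.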

One thing you can do is track the user's IP address in the session data, and any time it does not match the current request's IP, make the user log in again.

I would not suggest using the IP for tracking purposes, because a single user can use a different IP address for each request (the request might come from a different proxy). Also, multiple users might use the same IP address (many computer labs use an HTTP proxy).

(Would seem to agree that the best way is to make the session ID as unknowable as possible (high entropy on the ID, must use HTTPS, note the PHP session settings) and not try to detect changes via IP, user agent header, etc.)

"Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
~ Terry Pratchett in Nation